malwarewikiaorg-20200223-history
Brain
Brain was the first full-stealth virus on MS-DOS. It infects 360KB-, 5.25-inch floppy disks. It is sometimes mistakenly referred to as the first virus. In reality, it was simply among the first to infect removable media. Brain is one of the only viruses in existence that contains the valid names, phone numbers and addresses of the creators. Basit and Amjad Farooq Alvi, of the Chahmiran neighborhood, in Lahore, Pakistan created the virus to infect machines running pirated copies of a program he sold for physicians. Brain gets its name from the fact that it changes the name of the disk volume label to "© brain". Sometimes the copyright symbol or © is added before the word Brain, making the name Brain. The creators likely chose the name because the name of their store was "Brain Computer Services". As this virus came before there was even any pretense at coherent virus naming, it can go by a few other names, but few publications or antivirus companies today use any name other than Brain. The other names can include Pakistani Flu, Lahore, Pakistani'','' Basit Virus and'' UIUC. Payload When an infected disk is booted, the Brain virus will run with it. The virus will hook the INT 13h interrupt, used for writing and reading to the disks. The virus installs itself into the memory and takes up memory in the range of 3-7 kilobytes. It does not infect the hard disk, but will infect any other floppy disk accessed while it is in memory. The disks can be infected by being accessed in any way. The virus then stores the original boot sector and six extension sectors containing the main body of the virus in the disk's available sectors, which are then flagged as bad (to not be suspicious). Infected disks will have 3 kilobytes or more of bad sectors, as most usually have none or as many as 5 kilobytes of genuinely bad sectors. It renames the disk's volume label with "©brain". The virus has stealth capabilities, because any time infected sectors are accessed, the accessing program will be redirected to the stored original boot sector. This is a result of the INT 13h hooking. An early disk utility such as PC Tools, Norton Utilities or PC Medic ''would be unable to see the virus. Brain carries a message that is never displayed, but can be seen with a binary editor in every infected disk: Welcome to the Dungeon © 1986 Basit & Amjad (pvt) Ltd. BRAIN COMPUTER SERVICES 730 NIZAB BLOCK ALLAMA IQBAL TOWN LAHORE-PAKISTAN PHONE :430791,443248,280530. Beware of this VIRUS.... Contact us for vaccination............ $#@%$@!! This virus can be deleted by another virus, Denzuko, another boot malware. Removal Use MDisk, F-Prot, NAV, or DOS SYS command. The virus does no intentional damage, although it may slow down disk access and cause timeouts, which can make some disks unusable. The first problems with the virus were not reported until about a year later. In 1987, computer users at the University of Delaware reported seeing the ©Brain label on their disks. 100 machines were infected at the Providence Journal-Bulletin in 1988. One reporter, Froma Joselow, claimed to have lost several months of work contained on a floppy disk (hard to imagine today, but quite possible, given the size of files in 1988). Variants Probably because Brain was such an early virus, there were few people interested in creating variants of the virus. Still, a few minor variations of the virus do exist. Most of them are simple changes to the text. Brain.B This variant can infect the hard drive. Brain.C Brain.C, like B can infect the hard drive, but it does not change the volume label. Brain.Clone Similar to Brain.C, but the messages are removed and replaced with non-printable code that looks like random characters in a binary editor. Brain.Clone.B This is a subvariant of Clone corrupts the File Allocation Table (FAT) if it is booted after 1992.05.05. Brain.Shoe This one is similar to Brain.B in most ways, except the message is modified to say Welcome to the Dungeon © 1986 Brain & Amjads (pvt) Ltd. VIRUS_SHOE RECORD v9.0 Dedicated to the dynamic memories of millions of virus who are no longer with us today - Thanks GOODNESS!! BEWARE OF THE er..VIRUS :This program is catching program follows after these messeges..... $#@%$@!! This variant is also known as Ashar, and some sources say that it may actually be older than the original. Brain.Shoe.B There are some disagreements on this virus. There is a version of the Shoe variant that cannot infect hard disks and one in which the v9.0 has been changed to v9.1 Brain.TerseShoe In this variant, the message is truncated in one line. Brain.Jork This variant contains the text "© Jork & Amjads (pvt) Ltd". Brain.Singapore The copyright date on this virus is 1988 as opposed to 1986. The text through to the addresses and phone numbers of the creators is the same. After the phone numbers, it contains some different text: Ver (Singapore) Beware of this "virus". It will transfer to a million of Diskettes... $#@%$@!! Media Virus.Boot.Brain (First IBM PC Virus, 20,000 subscriber special)|A video of Brain in action. References David Stang. National Computer Security Association, Information on the Brain Virus And Variants Virus Report, Brain Virus Philip Elmer-Dewitt. Time, "Invasion of the Data Snatchers". 1988.09.26 The New York Times, Newspaper's Computer Is Infected With a 'Virus'. 1988.05.25 Trend Micro Antivirus, (C)BRAIN Wiki Books, Brain Assembly Source Hasan Mubarak. Metablogging Lahore, Lahore's 5th Gift to the World: Virus Threat Realization. 2006.12.04 Jeremy Paquette. Security Focus, A History of Viruses 2000.07.17 Joe Hirst. British Computer Virus Research Centre, List of Known PC VirusesCategory:Virus Category:Boot sector virus Category:Virus from 1980s Category:First Category:DOS Category:DOS virus Category:Stealth virus Category:Assembly